ciyinet
FORESTS
- Domains are structured into trees and forests
- A tree is a collection of related domains
- A forest is a collection of trees that trust each other
- There is only one “Enterprise Admins” group per forest
  - It exists in the forest root domain only
  - It does not exist in child domains
  - It is added as a local administrator on the child domains’ DCs

TRUSTS
- Allow authentication traffic to flow between two domains
- Establish the ability for users in one domain to authenticate to resources in another domain

TRUST TRANSITIVITY
Determines whether a trust can be extended beyond the two domains that established it
- Transitive
  - Extends the trust relationship to other domains
  - Lets the trust pass through the trusted domain on to a third domain
- Non-transitive
  - Denies trust relationships with other domains: only the two domains that established the trust trust each other

TYPE OF TRUSTS
Type / Direction / Transitivity: Description
- Parent-Child / 2-way / Transitive: automatically established when a new domain is created in a tree
- Tree-Root / 2-way / Transitive: automatically established when a new tree is added to a forest, between the new tree root and the forest root domain
- External / 1-way or 2-way / Non-transitive: manually created between a domain in a forest and a domain in a different forest that does not have a forest trust established
- Forest / 1-way or 2-way / Transitive: manually created between one forest root domain and another forest root domain
- Shortcut / 1-way or 2-way / Transitive: manually created between domains in the same forest; used to shorten the trust path in a large and complex domain tree or forest and to improve authentication times
- Realm / 1-way or 2-way / Transitive or non-transitive: manually created between an AD domain and a non-Windows Kerberos V5 realm
References:
https://blogs.msmvps.com/acefekay/2016/11/02/active-directory-trusts

TRUSTS
- All trusts within the same forest are two-way and transitive
  - This is why all domains within a forest trust each other
- Users from any domain can access resources in any other domain within the forest as long as:
  - They have the proper permissions assigned at the resource
  - They have network access
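An added example (not the deck's own code) that models the direction and transitivity rules from the trust slides: given a set of trust edges, it computes which domains a principal from a given home domain can authenticate to. The domain names and the topology (two forests joined by a forest trust, plus a one-way external trust to a stand-alone domain) are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Trust:
    trusting: str    # domain that accepts the other domain's principals
    trusted: str     # domain whose principals are accepted
    transitive: bool

def two_way(a, b, transitive):
    return [Trust(a, b, transitive), Trust(b, a, transitive)]

# Constructed topology: a forest (corp.local with child dev.corp.local), a
# second forest (ext.local with child team.ext.local) joined by a forest
# trust, and a stand-alone partner.local reached over a 1-way external trust
TRUSTS = (
    two_way("corp.local", "dev.corp.local", True)      # parent-child
    + two_way("corp.local", "ext.local", True)          # forest trust
    + two_way("ext.local", "team.ext.local", True)      # parent-child
    + [Trust("corp.local", "partner.local", False)]     # external, 1-way
)

def reachable_domains(home, trusts=TRUSTS):
    """Domains whose resources a principal from `home` can authenticate to.
    The first hop may use any trust; every further hop requires that the
    whole path so far, and the hop itself, be transitive."""
    # domain -> was it reached over an all-transitive path?
    best = {home: True}
    queue = deque([home])
    while queue:
        cur = queue.popleft()
        for t in trusts:
            if t.trusted != cur:
                continue
            if cur != home and not (best[cur] and t.transitive):
                continue  # a non-transitive trust cannot be extended
            new_ok = best[cur] and t.transitive
            if t.trusting in best and best[t.trusting] >= new_ok:
                continue
            best[t.trusting] = new_ok
            queue.append(t.trusting)
    return set(best) - {home}
```

A principal from partner.local reaches only corp.local (the external trust stops there), while one from team.ext.local reaches every domain in both forests through the transitive forest and parent-child trusts.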

KERBEROS ACROSS TRUSTS
When a user requests access to a resource in a different domain:
- The user’s DC cannot issue a TGS for a service in another domain: a TGS can only be built using the target service’s password, and a DC only holds password data for the security principals in its own domain
- To solve this, the two domains in the same AD forest share a trust password that is used as a bridge to enable Kerberos authentication across the trust

KERBEROS ACROSS TRUSTS
Diagram: message flow between a client in DOMAIN-A, the DC in DOMAIN-A, the DC in DOMAIN-B and a server in DOMAIN-B (tickets exchanged: TGT, I-R TGT, TGS)
1. Request TGT (AS-REQ): the client encrypts a timestamp with their secret (hash/key)
2. Receive TGT (AS-REP): the client receives a TGT signed with the DOMAIN-A krbtgt account that proves they are who they say they are
3. Present TGT, request TGS (TGS-REQ): the TGT is then used to request a TGS for specific resources/services in DOMAIN-B
4. Receive inter-realm TGT (TGS-REP): the DC sends a TGT for DOMAIN-B signed and encrypted using the inter-realm key
5. The inter-realm TGT is then used to request service tickets (TGS) for specific services in DOMAIN-B
6. The DOMAIN-B DC sends a TGS ticket encrypted using the hash/key of the account that is associated with that service (SPN)
References:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)
https://adsecurity.org/?p=1588
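An added toy model (not the deck's code and not real Kerberos) of the cross-trust flow on the two slides above: each DC can only build tickets with keys it holds, so the DOMAIN-A DC answers a request for a DOMAIN-B service with a referral TGT under the shared inter-realm key, which the DOMAIN-B DC then turns into a TGS under the service account's key. Tickets are modelled as HMAC-authenticated payloads standing in for encryption; all keys, realms and SPNs are constructed.

```python
import hashlib, hmac, json

# Toy model of the flow above (not real Kerberos): a "ticket" is a claims
# payload plus an HMAC under a key, standing in for encryption with that key
def seal(key, sname, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"sname": sname, "body": body, "mac": mac}

def open_ticket(key, ticket):
    mac = hmac.new(key, ticket["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, ticket["mac"]):
        raise ValueError("ticket was not built with this key")
    return json.loads(ticket["body"])

class KDC:
    def __init__(self, realm, krbtgt_key, service_keys, trust_keys):
        self.realm, self.krbtgt_key = realm, krbtgt_key
        self.service_keys = service_keys  # SPN -> key, own domain only
        self.trust_keys = trust_keys      # trusted realm -> shared trust key

    def as_exchange(self, user):
        # Steps 1-2 (AS-REQ/AS-REP): TGT under this realm's krbtgt key
        return seal(self.krbtgt_key, f"krbtgt/{self.realm}@{self.realm}",
                    {"user": user, "realm": self.realm})

    def tgs_exchange(self, tgt, spn, spn_realm):
        # Steps 3-4 at the home DC, 5-6 at the target DC: open the presented
        # TGT with whichever key this DC holds for the TGT's issuing realm
        issuer = tgt["sname"].split("@")[1]
        key = self.krbtgt_key if issuer == self.realm else self.trust_keys[issuer]
        claims = open_ticket(key, tgt)
        if spn_realm == self.realm:
            # the service key is in this DC's own database: issue the TGS
            return "TGS", seal(self.service_keys[spn], spn, {**claims, "spn": spn})
        # no key for a foreign service: referral TGT under the inter-realm key
        return "I-R TGT", seal(self.trust_keys[spn_realm],
                               f"krbtgt/{spn_realm}@{self.realm}", claims)

# Constructed keys; the trust key is the one secret both DCs share
TRUST_KEY = b"constructed-inter-realm-key"
DC_A = KDC("DOMAIN-A", b"krbtgt-a", {"cifs/fs.a": b"fs-a"}, {"DOMAIN-B": TRUST_KEY})
DC_B = KDC("DOMAIN-B", b"krbtgt-b", {"cifs/fs.b": b"fs-b"}, {"DOMAIN-A": TRUST_KEY})

def cross_trust_access(user, spn, spn_realm):
    # Client in DOMAIN-A reaching a service in DOMAIN-B: TGT -> I-R TGT -> TGS;
    # the server finally validates the TGS with its own service key
    tgt = DC_A.as_exchange(user)
    kind_a, referral = DC_A.tgs_exchange(tgt, spn, spn_realm)
    kind_b, tgs = DC_B.tgs_exchange(referral, spn, spn_realm)
    return kind_a, kind_b, open_ticket(DC_B.service_keys[spn], tgs)
```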

TRUSTS ENUMERATION
So we land in the organization; the exploitation path will depend
on:
- Domain you land on and its trusts
- Privileges you manage to get in it
- User’s privileges in foreign domains

SID HISTORY
- Used to migrate users from one domain to another
- When a user is migrated, their old SID and the SIDs of all the groups they were a member of can be added to the sidHistory attribute
- When the user tries to access a resource, their SID and the SIDs included in the sidHistory attribute are checked to grant or deny access
- sidHistory is normally respected by domains within the forest; across external/forest trusts, those SIDs are filtered out by the “SID filtering” protection
References:
https://www.itprotoday.com/windows-78/exploiting-sidhistory-ad-attribute
https://www.harmj0y.net/blog/redteaming/the-trustpocalypse/
https://gallery.technet.microsoft.com/migrate-ad-users-to-new-2e480804/
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
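An added example (not the deck's own code) modelling the access check described above: the resource evaluates the user's SID, group SIDs and sidHistory, and SID filtering on an external/forest trust discards any SID that does not belong to a domain on the trusted side. The domain SIDs, the migrated user, the resources and the trust settings are all constructed.

```python
# Constructed model of the access check above (not the deck's code). A SID is
# written S-1-5-21-<domain identifier>-<RID>; the domain part is everything
# before the final '-'.
def domain_of(sid):
    return sid.rsplit("-", 1)[0]

def token_sids(user):
    """SIDs the resource evaluates: own SID, group SIDs and sidHistory."""
    return [user["sid"]] + user["groups"] + user.get("sidHistory", [])

def sid_filter(sids, trusted_domain_sids):
    """SID filtering on an external/forest trust: keep only SIDs that belong
    to a domain on the trusted side, so sidHistory entries that claim a SID
    from the trusting side are discarded."""
    return [s for s in sids if domain_of(s) in trusted_domain_sids]

def check_access(user, resource, trust):
    """Grant if any remaining SID is allowed in the resource's DACL."""
    sids = token_sids(user)
    if trust["sid_filtering"]:
        sids = sid_filter(sids, trust["trusted_domain_sids"])
    return any(s in resource["allow"] for s in sids)

# Constructed data: CORP (S-1-5-21-1000) is the trusted domain; the user was
# migrated from OLD (S-1-5-21-2000) and kept OLD's SIDs in sidHistory
CORP, OLD = "S-1-5-21-1000", "S-1-5-21-2000"
MIGRATED_USER = {
    "sid": f"{CORP}-1105",
    "groups": [f"{CORP}-1200"],                    # a CORP group the user is in
    "sidHistory": [f"{OLD}-1105", f"{OLD}-512"],  # old user SID, old Domain Admins
}
OLD_ADMIN_SHARE = {"allow": [f"{OLD}-512"]}        # resource in OLD, admins only
OLD_PROJECT_SHARE = {"allow": [f"{CORP}-1200"]}    # resource in OLD open to a CORP group
# within the forest sidHistory is honoured; over an external trust it is filtered
INTRA_FOREST = {"sid_filtering": False, "trusted_domain_sids": {CORP}}
EXTERNAL_TRUST = {"sid_filtering": True, "trusted_domain_sids": {CORP}}
```

With filtering off the migrated user still reaches the OLD admin share through the sidHistory entry; with SID filtering on, only the genuine CORP SIDs survive, so that access is denied while access granted to a CORP group keeps working.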

RECONNAISSANCE
1. Enumerate the trusts the current domain has, and also the trusts the other domains have
2. Enumerate objects:
   a. Security principals (i.e. users, groups, computers) in the current domain that have access to resources in another domain
   b. Groups that contain users from another domain
3. Map the exploitation path: which accounts need to be compromised to move from the current position to the target
References:
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/

2. OBJECT ENUMERATION
Security principals (users/groups) can be configured to have access to resources in another domain as:
- Members of a local group on foreign machines
  - Look for foreign local group membership
- Members of a domain group in a foreign domain
  - Look for foreign domain group membership
- Principals in ACEs in a DACL
  - Look for foreign security principals in ACEs in a foreign domain

FOREIGN USER MEMBERSHIP
Enumerate users in groups outside of the user’s domain. This can be used within the same forest.
PowerView:
Get-DomainForeignUser -Domain FOREIGN_DOMAIN_FQDN
*Only Universal group membership will be reflected

FOREIGN GROUP MEMBERSHIP
Enumerate groups in the target domain that contain users that are not from the target domain.
This can be used against domains within the same forest or through an external/forest trust.
PowerView:
Get-DomainForeignGroupMember -Domain FOREIGN_DOMAIN_FQDN

FOREIGN ACL PRINCIPALS
1. Enumerate the DACLs (and their ACE entries) of all objects in domains that trust yours
2. Only analyze ACE entries with foreign security principals
This can be used against domains within the same forest or through an external/forest trust.
PowerView, to list ACE entries whose security principals come from our domain:
Get-DomainObjectAcl -Domain FOREIGN_DOMAIN_FQDN -ResolveGUIDs | Where-Object {$_.SecurityIdentifier -like 'CURRENT_DOMAIN_SID*'}

WRAPPING UP – “METHODOLOGY”
1. Enumerate the trusts the current domain has and also the trusts the other domains have
2. Is the target within the same forest?
   Yes: step 3
   No: steps 4 and 5
3. Got DA-level privileges in the current domain?
   Yes: use DA-level techniques
   No: steps 4 and 5
4. Enumerate objects:
   a. Security principals (i.e. users, groups, computers) in the current domain that have access to resources in another domain
   b. Groups that have users from another domain
   c. Foreign security principals in ACEs in foreign domains
5. Map the exploitation path: which accounts need to be compromised to move from the current position to the target

CONCLUSIONS
- If another domain trusts our domain, we can query its AD information
- Trusts can introduce unintended access paths
- Domain trust boundaries are not security boundaries
- Losing control of the KRBTGT account password hash of any domain equates to losing control of the entire forest
  - You must reset KRBTGT (twice) in every domain in the forest!

BUSINESS RISK
Compromise of just one Domain Admin account in the Active Directory forest exposes the entire organization to risk. The attacker would have unrestricted access to all resources managed by all domains: users, servers, workstations and data.
Moreover, the attacker could instantly establish persistence in the Active Directory environment, which is difficult to notice and cannot be remediated efficiently or with any guarantee.
“Once Domain Admin, always Domain Admin”
“Once any Domain Admin, always Enterprise Admin”